26 Oct 2011
Researchers in Germany claim to have found flaws in Amazon Web Services (AWS) that they believe will exist in many cloud architectures. The flaws will allow attackers to gain administrative rights and therefore access to all user data.
AWS has been informed of the security holes and has fixed them. "No customers have been impacted," a spokesperson for AWS said in an email. "It is important to note that this potential vulnerability involved a very small percentage of all authenticated AWS API calls that use non-SSL endpoints and was not a potentially widespread vulnerability as has been reported."
The team of researchers from Ruhr University Bochum used a variety of XML signature-wrapping attacks to gain administrative access to customer accounts, create new instances of the customer's cloud, add images and delete them. The researchers also used cross-site scripting attacks against the open source, private cloud software framework Eucalyptus.
The Amazon service was also found to be susceptible to cross-site scripting attacks.
"It's not only a problem of Amazon's," says Juraj Somorovsky, one of the researchers. "These are general attacks. Public clouds are not so secure as they seem to be. These problems could be found in other cloud frameworks also."
Amazon has published a list of best practices that, if followed, would have prevented these attacks as well as others:
This research illustrates that, as with all technologies, there are security flaws within the cloud, but by following best-practice guidelines businesses can significantly reduce the risks.